Did the distributors of popular peer-to-peer file-sharing programs such as Kazaa, LimeWire and Morpheus include features in their products that they knew, or should have known, could cause users to inadvertently share sensitive information on their computers with other users of the software?
According to the U.S. Patent and Trademark Office (USPTO), the answer is an unequivocal yes. The agency last week released an 80-page report based on an analysis of five specific features included in file-sharing software from Kazaa, LimeWire, Morpheus, BearShare and eDonkey between 2003 and 2006.
It concludes that the distributors of the programs repeatedly deployed features "that had a known propensity to trick users" into unknowingly sharing files on their computers with others. "Some distributors even responded to reports of inadvertent sharing by releasing new versions of their programs that seemed improved, but actually perpetuated inadvertent sharing caused by features previously deployed," the report noted.
More investigation is needed to determine whether the distributors included the features with the intent to induce copyright infringement or inadvertent file sharing, the report noted.
The issues raised in the report go beyond just copyright infringement and illegal file sharing, because the features that were studied pose a real threat to the security of personal, corporate and government data on computers in which such programs are running, said Jon Dudas, under secretary of commerce for intellectual property and director of the USPTO.
The primary objective in releasing the report is to raise awareness of the issue among those who can do something about it, Dudas said. He added that copies of the report have been forwarded to the Department of Justice, the Federal Trade Commission and the National Association of Attorneys General.
The distributors of Morpheus, Kazaa and LimeWire did not immediately respond to requests for comment. EDonkey's software is no longer available.
Among the features that were analyzed in the report were the following: redistribution features that, by default, caused users to automatically upload and share all of the files they downloaded with strangers; share-folder and search-wizard features that enabled not just the sharing of copyrighted files but also of other information on a user's computer; and coerced-sharing features that made it far more difficult for users to disable the sharing of folders used to store downloaded files.
Several of these features were previously known to be dangerous, Dudas said.
For example, research from as far back as 2003 had shown that inadvertent file sharing could be caused by the search-wizard and share-folder features, the report noted. However, that did not stop the distributors from deploying "more aggressive" versions of such functions in later products, it said. The same is true of the other features that were studied in the report as well.
The USPTO report also provided examples in which the inadvertent sharing of information enabled by such features resulted in serious consequences. It quoted a 2005 information bulletin from the U.S. Department of Homeland Security mentioning documented incidents of peer-to-peer file sharing resulting in sensitive government documents ending up on "non-U.S computers." It also mentioned a November 2006 case in which the district attorney in Denver indicted a gang of identity thieves who had used LimeWire to steal names and account information from scores of individuals and businesses around the country.